rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

PEAP Help - Screenshots?

Fri May 28, 2010 6:04 pm

I am trying to implement PEAP over wireless here in our company, and am still having problems. It looks like the only way to make it work (fairly) seamlessly, is to create a Hotspot, use Radius auth, then route all of the traffic through that way. Am I wrong?
Since our company uses a Cisco ACS (Access Control Server), I'm a bit confused about how to set it all up. Ideally I would rather be able to use a Security Profile that says pass all requests to the ACS or Radius Server, and let the Mikrotik just be the middleman.

Is that possible? I'm pretty new, so I apologize now if this seems basic for some of you.
I'd like to think I have searched pretty much throughout the forum, and can't come up with a working solution.


Does anyone have some screenshots of how they set yours up?


Thanks to the community!!

Rod Ekholm
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: PEAP Help - Screenshots?

Sat May 29, 2010 12:22 pm

Go to /radius and set up the ACS server as a RADIUS server for the wireless service (rather than Hotspot or login). Then enable WPA or WPA2 in their Enterprise versions right on the AP for association and use PEAP.

Caveat: I don't use wireless on Mikrotik and don't know if it supports PEAP.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: PEAP Help - Screenshots?

Mon May 31, 2010 2:56 pm

rekholm wrote:
> Since our company uses a Cisco ACS (Access Control Server), I'm a bit confused about how to set it all up. Ideally I would rather be able to use a Security Profile that says pass all requests to the ACS or Radius Server, and let the Mikrotik just be the middleman.

Yes, that is what you need to configure on the MikroTik AP, which should be the middleman between the RADIUS server and the client [non-MikroTik].

Basic settings for the MikroTik AP wireless interface:
/interface wireless security-profiles add authentication-types=wpa2-eap eap-methods=passthrough
/radius client should point to your RADIUS server.

The wireless client should have the proper settings for the EAP method used.
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: PEAP Help - Screenshots?

Tue Jun 01, 2010 8:06 pm

sergejs -
When I do this config, the TYPE selected defaults to NONE. It sent me through the network just fine, but never did hit the RADIUS, therefore never really authenticating against it. I changed this to Dynamic, and get a "VALIDATING IDENTITY" on my wireless clients, but when I look at the Radius Status, it never seems to try and latch to the radius server.

Also, we don't use any sort of accounting here... do I need to have any of the check boxes on the Radius tab checked? I was under the impression that all I had to do was have the shared secret in the RADIUS setup, and it should try to go.


Thanks.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: PEAP Help - Screenshots?

Wed Jun 02, 2010 7:58 am

Additionally, you need to enable radius-mac-authentication.
 
rekholm
newbie
Topic Author
Posts: 44
Joined: Mon Sep 21, 2009 8:09 pm

Re: PEAP Help - Screenshots?

Wed Jun 02, 2010 5:32 pm

OK.. so unless I'm not understanding something, if I set up MAC, it is no longer using PEAP! Or at least username/password type auth for domain. It has to pass USER/PASS to the RADIUS, which looks to see if that user has rights to access certain wireless systems.

If I have to put the users' MACs into a database, I may as well leave it open.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: PEAP Help - Screenshots?

Thu Jun 03, 2010 9:27 am

It should work without radius-mac-authentication. Monitor /radius monitor <0> to find out whether any packets are sent to RADIUS or not when MAC RADIUS authentication is off.

When EAP authentication is used (eap-method=passthrough), the router should send these attributes in the Access-Request.

An Access-Request is sent, which contains:
User-Name - EAP supplicant identity (supplicant-identity from security-profiles)
Nas-Port-Id - interface name
Acct-Session-Id - session-id (when radius-eap-accounting=yes)
Acct-Multi-Session-Id - id, when radius-eap-accounting=yes, to distinguish different sessions, format "AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX", where AA - AP MAC address, CC - client MAC address, XX - unique number
Calling-Station-Id - client MAC address "XX-XX-XX-XX-XX-XX"
Called-Station-Id - AP MAC address and SSID "XX-XX-XX-XX-XX-XX:ssid"
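
Added example, not part of the post above and not MikroTik code: a small parser for checking, from a captured Access-Request, that the AP is relaying EAP rather than sending a request with no EAP payload. The attribute numbers and the requirement that EAP requests carry EAP-Message and Message-Authenticator come from the RADIUS RFCs, not from the thread; the MACs, SSID and user name are constructed, and Message-Authenticator is checked for presence only, not verified.

```python
import re
import struct

# Attribute numbers per RFC 2865/2866/2869/3579 (the post gives names only).
ATTRS = {1: "User-Name", 30: "Called-Station-Id", 31: "Calling-Station-Id",
         44: "Acct-Session-Id", 50: "Acct-Multi-Session-Id",
         79: "EAP-Message", 80: "Message-Authenticator", 87: "NAS-Port-Id"}
MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"

def parse_access_request(pkt: bytes) -> dict:
    """Return {attribute name: [raw values]} from a RADIUS Access-Request."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not an Access-Request or bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("truncated or malformed attribute")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.setdefault(ATTRS.get(atype, str(atype)), []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return attrs

def check_passthrough(attrs: dict) -> list:
    """List what is missing or malformed for an EAP passthrough request."""
    problems = ["missing " + n for n in
                ("User-Name", "EAP-Message", "Message-Authenticator") if n not in attrs]
    first = lambda n: attrs.get(n, [b""])[0].decode("ascii", "replace")
    if not re.fullmatch(MAC, first("Calling-Station-Id")):
        problems.append("Calling-Station-Id is not XX-XX-XX-XX-XX-XX")
    if not re.fullmatch(MAC + ":.+", first("Called-Station-Id")):
        problems.append("Called-Station-Id is not XX-XX-XX-XX-XX-XX:ssid")
    return problems

def build(pairs) -> bytes:
    """Assemble a constructed Access-Request (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: MACs, SSID and user name are made up.
COMMON = [(87, b"wlan1"), (31, b"00-11-22-33-44-55"), (30, b"AA-BB-CC-DD-EE-FF:corp")]
EAP_REQ = build([(1, b"alice")] + COMMON +
                [(79, b"\x02\x01\x00\x0a\x01alice"), (80, bytes(16))])
NO_EAP_REQ = build([(1, b"00:11:22:33:44:55")] + COMMON)

if __name__ == "__main__":
    for label, pkt in (("EAP passthrough", EAP_REQ), ("no EAP", NO_EAP_REQ)):
        print(label, check_passthrough(parse_access_request(pkt)) or "looks right")
```

Feed it the UDP payload of a request captured on the RADIUS server side; an empty result means the request has the shape described in the post plus the EAP attributes.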
 
toniojst
just joined
Posts: 3
Joined: Thu Jul 13, 2023 6:07 pm

Re: PEAP Help - Screenshots?

Tue Mar 05, 2024 11:15 am

sergejs wrote:
> It should work without radius-mac-authentication. Monitor /radius monitor <0> to find out whether any packets are sent to RADIUS or not when MAC RADIUS authentication is off.
>
> When EAP authentication is used (eap-method=passthrough), the router should send these attributes in the Access-Request.
>
> An Access-Request is sent, which contains:
> User-Name - EAP supplicant identity (supplicant-identity from security-profiles)
> Nas-Port-Id - interface name
> Acct-Session-Id - session-id (when radius-eap-accounting=yes)
> Acct-Multi-Session-Id - id, when radius-eap-accounting=yes, to distinguish different sessions, format "AA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX", where AA - AP MAC address, CC - client MAC address, XX - unique number
> Calling-Station-Id - client MAC address "XX-XX-XX-XX-XX-XX"
> Called-Station-Id - AP MAC address and SSID "XX-XX-XX-XX-XX-XX:ssid"

I also have a problem connecting a MikroTik as a client to 802.1X. The problem is that the MikroTik doesn't send the identity. All the images are here; can I get help? viewtopic.php?p=1059141&hilit=wpa2+enterprise#p1059141
